Privacy Policy for SpendSense
Last Updated: March 5, 2026
Introduction
This Privacy Policy describes how SpendSense ("we", "our", or "the application") collects, uses, and protects your personal information when you use our expense tracking and classification service.
Information We Collect
1. Google Account Information
When you sign in using Google OAuth, we collect:
- Your email address
- Your Google account ID
- Your display name and profile picture (stored in the server-side session)
2. Gmail Data
If you choose to use the Gmail transaction fetching feature, Gmail access happens entirely within your browser:
- Your Gmail access token is obtained via Google Identity Services and stored only in your browser's localStorage — it is never transmitted to or stored on our server
- Email messages from specific financial service providers (banks, payment services) are fetched directly from Gmail by your browser
- Email content is parsed in your browser to extract transaction information (date, amount, description)
- Only the extracted transaction data you choose to import is sent to and stored in the application database
3. Transaction Data
We store:
- Transaction details (date, amount, description, source)
- Manual category assignments you create
- Comments you add to transactions
- Classification metadata (how each transaction was categorized)
4. Usage Data
- Session information (stored in the application database), including your display name and profile picture
- Gmail access tokens are stored only in your browser's localStorage and are never stored server-side
How We Use Your Information
We use the collected information to:
- Authenticate your access — Verify your identity using Google OAuth
- Fetch transactions — Your browser retrieves transaction emails directly from Gmail via Google Identity Services; the server receives only the extracted transaction data you choose to import
- Categorize expenses — Automatically classify transactions using regex patterns and machine learning
- Generate regex patterns — Optionally use Google Gemini API to generate classification rules from email content
- Provide analysis — Generate expense reports, charts, and trends
- Maintain your preferences — Store manual category assignments and comments
Data Storage and Security
Local Storage
- All data is stored locally in the application database
- The application runs on a private server
- No data is transmitted to external servers except as described in the Third-Party Services section below
Encryption at Rest
Sensitive fields are encrypted in the database using AES-256-GCM:
- Transaction descriptions
- Transaction comments
Encryption details:
- Envelope encryption: a per-installation Data Encryption Key (DEK) is wrapped with a Key Encryption Key (KEK) following RFC 3394 key-wrapping
- A 12-byte random nonce is prepended to each encrypted value
- transaction_amount is stored in plaintext (required for aggregation queries)
- An encryption_version column tracks whether each row uses plaintext (0) or AES-256-GCM (1)
- If decryption is unavailable (e.g. missing key), affected fields display as [Encrypted] rather than causing errors
Security Measures
- Google OAuth 2.0 for secure authentication
- Session-based access control with 7-day session expiration
- Session cookies set with HttpOnly and SameSite=Lax flags; Secure flag enabled in production
- Gmail access tokens are managed entirely client-side via Google Identity Services and stored only in localStorage — the server never handles or stores them
- Optional ALLOWED_EMAILS environment variable to restrict access to authorized accounts only
Third-Party Services
Google Services
We use the following Google services:
- Google OAuth 2.0 — For user authentication
- Gmail API — To fetch transaction emails (only when you explicitly initiate a fetch)
- Google Gemini API — Optionally used to generate regex classification patterns from email text; sends email body content to the Gemini API only when you explicitly trigger this feature
SpendSense's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
European Central Bank (ECB)
The application may download daily currency exchange rate tables from the European Central Bank's public data feed. No personal data is transmitted to the ECB — only publicly available rate tables are downloaded.
Data Sharing
We do NOT:
- Sell your data to third parties
- Share your data with advertisers
- Transfer personal data to external services beyond what is described above (Google OAuth, Gmail API, Gemini API when explicitly used)
- Use your data for purposes other than providing the expense tracking service
Gmail API Scope and Usage
Limited Use Disclosure
SpendSense's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. This includes data sent to Google Gemini API, which is used solely to provide the regex pattern generation feature explicitly triggered by the user.
Scopes Used
The application requests the following Gmail API scope, obtained client-side via Google Identity Services in your browser — it is not requested during server-side login:
https://www.googleapis.com/auth/gmail.readonly — Read-only access to Gmail messages
How We Use Gmail Data
Gmail data is used exclusively to:
- Search for transaction emails from specific financial service providers — performed by your browser, not the server
- Extract transaction information (date, amount, merchant name) — performed locally in your browser
- Store the extracted transaction data you choose to import in the application database
- Optionally generate regex classification patterns via Gemini API — only when you explicitly trigger this feature; only the email body text for the selected email is sent
Raw Gmail content (email subjects, bodies, or metadata) is never stored on our server. The Gmail access token never leaves your browser. The one exception is the Gemini pattern-generation feature (the last item in the list above): when you explicitly trigger it, the selected email's body text is sent from your browser to our server, which forwards it to the Gemini API — no other Gmail content reaches the server.
Your Rights and Choices
You have the right to:
- Access your data — Review all stored transactions and categories through the web interface
- Modify your data — Edit transaction categories, add comments, and create manual entries
- Revoke access — Disconnect the application from your Google account at any time via Google Account Permissions
Data Retention
- Transaction data is retained indefinitely unless you manually delete it
- Session data expires after 7 days
- You can delete all data by removing the application database file
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Changes will be reflected by updating the "Last Updated" date at the top of this policy. Continued use of the application after changes constitutes acceptance of the updated policy.
Compliance
This application:
- Complies with Google OAuth 2.0 requirements
- Follows Gmail API Terms of Service
- Adheres to the Google API Services User Data Policy, including Limited Use requirements
Contact Information
If you have questions about this Privacy Policy or how your data is handled, please contact:
Email: luc4.ruggieri@gmail.com
Open Source
This application is open source. You can review the code to understand exactly how your data is processed:
Repository: https://github.com/lruggieri/spendsense